Cloud computing risk factors

Cloud computing risk factors, and the real and imaginary bogeymen that lurk in data centres

Tuesday, October 18, 2011 | Dan Blacharski

Nearly every company, from one-person startups to FTSE 100 enterprises, either has an active cloud strategy or is at least considering one. The maturity of the technology and robustness of cloud data centre offerings has overcome most irrational fears of the cloud and the technology has earned its place in the canon of acceptable business practices.

Excitement abounds over the prospect of lowered or nonexistent capital expenditure, the ability to roll out a project on a moment's notice, and the incredible scalability that the cloud offers. There is little doubt that the cloud is perhaps the greatest disruptive innovation since the dawn of the Industrial Revolution, but one must temper irrational exuberance with a realistic approach to mitigating threats before moving on with a solid cloud strategy.
One of the greatest threats to consider is this simple reality: If the good guys think the cloud is wonderful, then the bad guys will probably think the same. IaaS providers, delivering infinitely scalable capacity, low start-up costs and superb ease of use, make it easy for legitimate companies to get up and running - but at the same time, they make it easy for hackers, spammers, and cyber-criminals to ply their trades as well. According to the Cloud Security Alliance, botnets often turn to IaaS servers, and the cloud can be used as a launching pad for any number of attacks. This unfortunate fact is not due to any inherent flaw in the cloud model itself, but rather, because of poor practices on the part of some cloud providers. A weak registration system for example, promotes anonymity. That anonymity, whilst rightly championed by privacy advocates, also does provide an unfortunate cover for those who would do harm in the online world.

A potential weak spot in some cloud platforms too, is in the APIs that are used to allow customers to interact with cloud services. Some of the earliest cloud platforms added security more as an afterthought, instead relying on the cloud provider to add security at the point of delivery - not always a good strategy. A secure platform eliminates the need to "re-invent the security wheel", and include proven security in the very foundation of the cloud delivery model. The interfaces used to allow customers to interact with the cloud must include authentication, access control, encryption and monitoring. Weak platforms that include anonymous access, reusable passwords or clear-text authentication are a disaster in waiting. Fortunately, it needn't be so, and more modern cloud platforms and platforms-as-a-service are incorporating strong authentication and access control from the very beginning.

Another potential threat (which can nonetheless be easily overcome with due diligence) is the threat of insider attack on the cloud provider side. Without a thorough understanding of who has access and to what degree, a cloud customer may be left wondering whether everyone from the cloud data center manager to the cleaning lady can casually log onto their account and steal data. Fortunately, transparency, service level agreements and guarantees, and a clear security breach notification process can easily overcome this potential threat.

There are additional threats and mitigating factors (discussed in part two of this article), but we will close by saying this: Every computing practice invented ever since we stopped using cardboard punch cards does carry some risk. Rather than hopelessly seeking out a risk-free computing model, the better approach is to define those risks ahead of time, research providers to get a better understanding of how they mitigate those risks, and then go forward without fear of the unknown.
  • Print
  • Send to a friend